Hi,
I've never used Categories before and would like to see how people use those in their aliases and firewall rules.
It is probably very personal how you put things under different categories and even the color choices :)
Getting some ideas would be helpful, to avoid changing those too often at the beginning while I make up my mind...
Thanks for any input.
I only used them for special purposes, e.g. DNS redirection/blocking, but I stopped using it some time ago... The only categories I am actually using are 'Temp' and 'Test' to visualize temporarily used rules or those for testing purposes.
I use them to create "Categories of rules" for easier lookups and identification. They are basically TAGs; I TAG a Rule or an Alias.
For example, I even use multiple TAGs on a rule or Alias. If I have a game server that is outside my LAN, I TAG it > GAME & INTERNET.
If you have a lot of rules or Aliases, searching by Categories makes my life easier.
(https://forum.opnsense.org/index.php?action=dlattach;topic=39237.0;attach=33358)
Regards,
S.
Quote from: Seimus on March 05, 2024, 10:41:43 AM
I use them to create "Categories of rules" for easier lookups and identification. They are basically TAGs; I TAG a Rule or an Alias.
For example, I even use multiple TAGs on a rule or Alias. If I have a game server that is outside my LAN, I TAG it > GAME & INTERNET.
If you have a lot of rules or Aliases, searching by Categories makes my life easier.
(https://forum.opnsense.org/index.php?action=dlattach;topic=39237.0;attach=33358)
Regards,
S.
Nice. I've just started working on rewriting all of my aliases, rules, etc to take advantage of categories and groups for exactly those reasons.
Did you tag things with Block-Google-DNS and DNS or just the former?
Actually, for that specific example you mentioned I used both.
The DNS TAG is used for tagging aliases that contain DNS servers or DNS ports, as well as the specific Rule for hosts to access DNS.
The Block-Google-DNS TAG was a special one that was used only on a RULE that blocked IoT devices from reaching Google-based DNS servers; this was from a time when I had a lot of IoT and very basic rules. It served to prevent those spammers from using any DNS server other than the one provided via DHCP. I still have that rule just as a counter, to see what device tries to go to Google DNS. Otherwise, as I redid most of my network with VLANs and specific rules, even if this rule is taken out, only local DNS is permitted.
I know it is a bit redundant now - it was from my time when I was migrating to new HW and VLANs and declared a crusade against IoT devices in my network.
Oh, and one piece of advice, if you are going to redo Categories, Aliases or Rules:
I use underscore _ for describing objects
I use dash - for describing descriptions
Categories here, even though they can be considered objects, I describe as a description, because they attach to objects and serve as descriptions :)
Another nice thing is to format the description in a way that makes it very easy to identify what it is doing, for example:
Allow-any-VLAN-to-WEB-HTTPs
Allows any Interface in FW group VLAN to reach HTTPs-based websites.
Allow-HOST-CONSOLE-to-GAMEs
Allows only Interfaces HOST & CONSOLE in FW group VLAN to reach dedicated game servers.
Allow-Hosts-to-MGMT-SSH
Allows only certain Hosts on the HOST interface, specified in an Alias, to access the SSH port towards the MGMT interface.
It helps make my life easier as well when I keep some formatting.
Regards,
S.
I do not use categories for aliases, because one and the same object is frequently used in rules that fall into different categories. I do use semantic naming for aliases:
Port_Web -- 80, 443
Host4_Proxy
Net6_Restricted
...
I use categories for rules like in the screen shot.
HTH
Patrick
Quote from: Seimus on March 05, 2024, 05:48:57 PM
Actually, for that specific example you mentioned I used both.
The DNS TAG is used for tagging aliases that contain DNS servers or DNS ports, as well as the specific Rule for hosts to access DNS.
The Block-Google-DNS TAG was a special one that was used only on a RULE that blocked IoT devices from reaching Google-based DNS servers; this was from a time when I had a lot of IoT and very basic rules. It served to prevent those spammers from using any DNS server other than the one provided via DHCP. I still have that rule just as a counter, to see what device tries to go to Google DNS. Otherwise, as I redid most of my network with VLANs and specific rules, even if this rule is taken out, only local DNS is permitted.
I know it is a bit redundant now - it was from my time when I was migrating to new HW and VLANs and declared a crusade against IoT devices in my network.
Oh, and one piece of advice, if you are going to redo Categories, Aliases or Rules:
I use underscore _ for describing objects
I use dash - for describing descriptions
Categories here, even though they can be considered objects, I describe as a description, because they attach to objects and serve as descriptions :)
Another nice thing is to format the description in a way that makes it very easy to identify what it is doing, for example:
Allow-any-VLAN-to-WEB-HTTPs
Allows any Interface in FW group VLAN to reach HTTPs-based websites.
Allow-HOST-CONSOLE-to-GAMEs
Allows only Interfaces HOST & CONSOLE in FW group VLAN to reach dedicated game servers.
Allow-Hosts-to-MGMT-SSH
Allows only certain Hosts on the HOST interface, specified in an Alias, to access the SSH port towards the MGMT interface.
It helps make my life easier as well when I keep some formatting.
Regards,
S.
Interesting. So far I'm just using basic categories such as DNS, NTP, Wifi, etc. I'm not sure what you mean by your suggestion regarding _ and -. Is Allow-Hosts-to-MGMT-SSH an alias of hosts or some sort of rule name?
Quote from: Patrick M. Hausen on March 06, 2024, 03:53:18 PM
I do not use categories for aliases, because one and the same object is frequently used in rules that fall into different categories. I do use semantic naming for aliases:
Port_Web -- 80, 443
Host4_Proxy
Net6_Restricted
...
I use categories for rules like in the screen shot.
HTH
Patrick
I'm using aliases similarly to you, but I hadn't considered how you're using categories. I'll have to give it a try.
Quote from: CJ on March 06, 2024, 04:02:04 PM
Interesting. So far I'm just using basic categories such as DNS, NTP, Wifi, etc. I'm not sure what you mean by your suggestion regarding _ and -. Is Allow-Hosts-to-MGMT-SSH an alias of hosts or some sort of rule name?
Allow-Hosts-to-MGMT-SSH is a description of the Rule; for descriptions I use "-" if it has multiple words.
DNS_Servers is the name of an Alias "object"; for objects I use "_" if it has multiple words.
Regards,
S.
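Added example, not posted by anyone in the thread: a small Python checker for the two conventions described above (underscore-joined alias "object" names, optionally with a Port_/Host4_/Net6_-style type prefix, and dash-joined rule descriptions of the shape Action-Source-to-Destination[-Service]), plus a category lookup like the GUI search. The sample rules, aliases and the service list are constructed for illustration.

```python
"""Checker for the alias / rule naming conventions discussed in this thread (assumed, not an OPNsense feature)."""
import re

# Alias "object" names: words joined by "_", optional type prefix as in Port_Web, Host4_Proxy, Net6_Restricted.
ALIAS_RE = re.compile(r"^(?:(Port|Host4|Host6|Net4|Net6)_)?([A-Za-z0-9]+(?:_[A-Za-z0-9]+)*)$")
# Rule descriptions: words joined by "-", <Action>-<Source>-to-<Destination>[-<Service>].
RULE_RE = re.compile(r"^(Allow|Block|Reject)-(.+?)-to-(.+)$")
KNOWN_SERVICES = {"SSH", "HTTPs", "HTTP", "DNS", "NTP"}  # constructed list; extend as needed


def check_alias(name):
    """Return (ok, type_prefix). A dash in an alias name breaks the "_ for objects" rule."""
    m = ALIAS_RE.match(name)
    return (m is not None, m.group(1) if m else None)


def parse_rule(desc):
    """Split a rule description into action/source/destination/service; None if it breaks the convention."""
    m = RULE_RE.match(desc)
    if not m or "_" in desc:           # underscores belong to objects, not descriptions
        return None
    action, src, rest = m.groups()
    parts = rest.split("-")
    # Trailing token is a service only if something is left over for the destination.
    service = parts.pop() if len(parts) > 1 and parts[-1] in KNOWN_SERVICES else None
    return {"action": action, "source": src.split("-"), "destination": parts, "service": service}


def find_by_category(rules, tag):
    """Mimic searching the rule list by category: descriptions of rules carrying the tag."""
    return [r["description"] for r in rules if tag in r["categories"]]


# Constructed sample set mirroring names quoted in the thread; the last rule deliberately violates the convention.
SAMPLE_RULES = [
    {"description": "Allow-Hosts-to-MGMT-SSH", "categories": {"MGMT"}},
    {"description": "Allow-any-VLAN-to-WEB-HTTPs", "categories": {"INTERNET"}},
    {"description": "Block-IoT-to-Google-DNS", "categories": {"DNS", "Block-Google-DNS"}},
    {"description": "Allow_IoT_to_DNS", "categories": {"DNS"}},
]
SAMPLE_ALIASES = ["Port_Web", "Host4_Proxy", "Net6_Restricted", "DNS_Servers", "Google-DNS"]


def audit(rules=SAMPLE_RULES, aliases=SAMPLE_ALIASES):
    """Return (bad_rule_descriptions, bad_alias_names) so they can be renamed in one pass."""
    bad_rules = [r["description"] for r in rules if parse_rule(r["description"]) is None]
    bad_aliases = [a for a in aliases if not check_alias(a)[0]]
    return bad_rules, bad_aliases


if __name__ == "__main__":
    print(audit())
    print(find_by_category(SAMPLE_RULES, "DNS"))
```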
Thanks all for sharing.